Barracuda email security gateway (ESG) users have been warned that appliances are still at high risk of compromise due to an “ineffective” patch for flaws issued in May.
In a security notice this week, the FBI revealed that an investigation into the exploitation of CVE-2023-2868 found that although a patch had been issued for vulnerable appliances, there still remains a “risk for continued computer network compromise”.
“Through an investigation of the Barracuda ESG appliance compromise, the FBI discovered additional indicators of compromise, as well as independently verified many of the indicators of compromise in the public domain,” the agency said in its notice.
Barracuda issued a patch for all affected appliances in late May after discovering the vulnerability. The company said at the time it believed the flaw had been actively exploited for “several months” dating back to October 2022.
The vulnerability enabled threat actors to obtain “unauthorized access to a subset of ESG appliances”, and attackers were found to have deployed two malware strains, dubbed ‘Saltwater’ and ‘Seaspy’, on the affected devices.
Discover the business and personal implications of ransomware, and how organizations are defending against attacks today.
DOWNLOAD FOR FREE
Barracuda later advised customers to replace affected appliances after an investigation found it couldn’t guarantee user safety or the removal of said malware.
“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said at the time. “Impacted ESG appliances must be immediately replaced regardless of patch version level.”
The FBI’s latest update echoes Barracuda’s advisory to customers, urging them to remove affected devices.
“The patches released by Barracuda in response to this CVE were ineffective,” the agency said. “Barracuda customers should remove all ESG appliances immediately.”
The agency also advised users to investigate signs of further exploitation by referring to its list of compromise indicators and “conducting scans for outgoing connections”
“Customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices.”
Chinese-linked exploitation
Analysis from Mandiant suggests that Chinese-linked threat actors have been involved in exploiting the flaw. A group dubbed ‘UNC4841 was identified as the culprit behind the attacks on the affected devices, the security firm said.
“Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868,” said Mandiant CEO Kevin Mandia.
“This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide.”
